New Report Details the Extent of Damage Done by OPM Data Breaches

A new report from the House Committee on Oversight and Government Reform explains how the security breaches of OPM’s computer networks occurred and attempts to provide answers to federal workers who may be wondering how and why their personal information was left vulnerable.

Was your personal information compromised in the data breaches of the Office of Personnel Management’s computer networks? Chances are it was since it was announced that between two cybersecurity breaches, over 25 million current and former federal employees’ data records were potentially left vulnerable.

The House Committee on Oversight and Government Reform released a lengthy and scathing report today with detailed information about the data breaches that occurred at OPM. According to Chairman Jason Chaffetz (R-UT), one of the reasons for publishing the report is to provide answers to federal workers who were impacted.

“For those whose personal information was compromised, I hope this report provides some answers on the how and why,” wrote Chaffetz.

The report begins with a detailed timeline of events dating back to 2012 that led to the breaches and culminating with the resignation of OPM CIO Donna Seymour in February 2016.

What did the hackers want, and what did they get?

There are some sobering facts in the report. As to why the breach occurred, the report says it was an effort to collect data on employees of the US government, and if that is the case, the hackers were quite successful.

Personnel files of 4.2 million current and former federal employees were “exfiltrated” along with security clearance background investigation information of an additional 21.5 million people. Also, fingerprint data on 5.6 million of these federal employees was stolen in the attacks.

The report says that the security clearance background information, in particular, is some of the most troubling to have been exposed. “The intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever be fully known. Nor is there any way to remedy the problem now that the information is in the hands of our adversaries.” according to the report.

How did the breach happen?

According to the report, blame for the breach lies squarely on OPM. “The agency [OPM] failed to prioritize cybersecurity and adequately secure high value data,” states the report.

It draws this conclusion in part by citing reports from OPM’s inspector general dating back as far as 2005 that information maintained by the agency was vulnerable to hackers, yet OPM failed to take these precautions seriously.

“Had OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft,” according to the report.

It also goes on to state that OPM intentionally misled Congress and the American public to downplay the damage done by the breaches. The report says that the agency initially said that the 2014 and 2015 breaches were not connected when it turns out they were, and accused then OPM CIO Donna Seymour of making false statements to Congress about the data breaches.

A copy of the report is included below.

The OPM Data Breach: How the Government Jeopardized Our National Security for More Than a Generation

About the Author

Ian Smith is one of the co-founders of FedSmith.com. He has over 20 years of combined experience in media and government services, having worked at two government contracting firms and an online news and web development company prior to his current role at FedSmith.